Factory pools on Curve Finance are vulnerable to a reentrancy vulnerability, a critical security vulnerability that arises when the external call to a contract is interrupted and recalled before it is completed, potentially allowing attackers to maliciously siphon funds or break the logic of the exploit contract. This vulnerability resulted in significant outflows in various connected pools in excess of $26 million.
According to Beosin security analysts, the attacker targeted the factory pools of several Curve projects: JPEGd, Metronome, and Alchemix.
JPEGd’s pETH-ETH factory pool on Curve saw an outflow of $11.4 million. Close behind, the Metronome’s sETH-ETH pool saw a move of $1.6 million. However, it was Alchemix’s alETH-ETH pool that saw the most significant activity, with a sizable $13.6 million being settled.
According to estimates by security firm BlockSec, total asset outflows related to this security incident at Curve pools have so far exceeded $41 million.
Curve Finance is a decentralized exchange (DEX) optimized for efficient stablecoin trading. Over time, it has expanded its offering to cover other types of assets as well. Factory pools describe a system in which new liquidity pools can be created using a standardized framework or “factory”. Rather than the Curve team manually creating each pool, this system offers a more permissionless approach, allowing projects or individuals to start their own liquidity pools while leveraging Curve’s infrastructure.
Vulnerabilities in the Vyper version
Today’s outflows involved a sequence of interactions. They started with a flash loan that apparently exploited the reentry vulnerability associated with certain older compiler versions of Vyper – the smart contract programming language used to write the code for these factory pools, according to Igor Igamberdiev, the research lead at Wintermute explained.
Vyper has acknowledged that its versions 0.2.15, 0.2.16 and 0.3.0 are prone to buggy re-entry locks and investigations are ongoing.
While the immediate response was dominated by concerns of a massive security breach, on-chain data suggests that MEV bots may have carried out some of these frontline transactions. This has led to speculation that whitehat hackers may be involved.
“We’re conducting a major white hat rescue. Please contact us if you think you are affected as a project,” announced a security researcher using the alias “pcaversaccio” on Twitter.
© 2023 The Block Crypto, Inc. All rights reserved. This article is for informational purposes only. It is not offered or intended to be legal, tax, investment, financial or other advice.
Learn Crypto Trading, Yield Farms, Income strategies and more at CrytoAnswers
https://nov.link/cryptoanswers
Comments are closed.